Today I am happy to announce 1Password for Teams, an exciting new way to use 1Password within a team environment!

Why 1Password for Teams?

Many of you already use 1Password with your friends, family and coworkers. So it’s hard to believe that when we first released 1Password nearly 10 years ago, there wasn’t even a way to share a vault with someone else!

Over the years we added features oriented towards teams, such as vault sharing. Thanks to these features and more, many companies are happily using 1Password today, including NASA, Basecamp, and Atlassian.

But a lot of you asked us for more: more control, easier deployment of vaults, and a simpler signup and billing process. We now have an answer for you, and best of all, it meets the privacy and security standards you expect from 1Password.

Introducing 1Password for Teams

1Password for Teams allows you to share the convenience and security of 1Password with everyone in your life. It gives you the tools you need to control and manage access to your most important information.

New to 1Password for Teams is the Admin Console, a central location to manage your team, vaults and items.

The Admin Console makes teamwork a breeze and it completely changes the way you use 1Password in a group environment. It’s packed with features you’ve been asking for, and several new ones you didn’t know you needed :)

Easily Bring New People On Board. Effortlessly invite new team members. Signup is super quick and you can even automate it by sending out a link to your entire organization.

Share and Revoke Vaults. New vaults appear automatically on all devices, without anyone needing to configure syncing. Changes, additions and revocations spread instantly to all devices.

Control Who Has Access to What. Not everyone needs the ability to see or change every password. Create read-only vaults, control who can print or export items, and even allow teammates to log in to sites without being able to see the passwords.

Recover Locked Out Accounts. We have never been able to reset your Master Password. With 1Password for Teams, we still can’t—but you can! Admins can recover account access for teammates, giving you a backup plan for emergencies.

These are just some of the things the Admin Console can do, and the Admin Console is just one piece of what makes 1Password for Teams so amazing.

A Secure and Private Foundation

As much as I love talking about the new features, the thing I’m most proud of is how everything is built upon a foundation of security and privacy. We’ve made it priority number one to ensure that you and your teammates are the only ones who ever have access to your shared secrets.

We encrypt everything on the client and do not have a copy of your encryption keys. Your keys are generated on your local devices and we use technologies like WebCrypto and Secure Remote Password to ensure that no unencrypted data is ever shared with us.

Please see our security page for more details on how 1Password for Teams is built from the ground up to keep your team’s secrets safe and private.

Sign Up Now!

Now that I’ve given you a taste of 1Password for Teams, you probably want to know how to sign up and how much it costs. I’m glad you asked :)

During the beta, 1Password for Teams is completely free for you and all your teammates. Once the beta ends, we’ll move to a monthly subscription model. I don’t have exact numbers for you right now, but we plan to be in beta for at least a few months, so you’ll have plenty of time for a test drive.

Oh, I almost forgot the best part: subscribing to 1Password for Teams gives you a lot more than just a web app. You and your teammates will also get access to our award-winning native apps for iOS, Mac, Windows and Android.

I Hope You Love 1Password for Teams

I’m super excited to finally share 1Password for Teams with you! We’ve kept it secret for a long time and it’s been incredibly hard not to spill the beans every time someone asked us for team features :)

I hope you love 1Password for Teams as much as we do. We’ve been using it ourselves and with our families for months and couldn’t imagine life without it.

It’s hard to believe we’ve been working on 1Password for 10 years now. While writing this post I had a fun fact for those who’ve been with us since the beginning: back when Roustem and I created 1Password in 2006, it was called 1Passwd and AgileBits was known as Agile Web Solutions.

I wasn’t able to fit this into the blog post as it got cut during editing, so I thought being the first comment was the next best thing :)

Bonus points for anyone who knows what our company name was before we changed it to Agile Web Solutions ;)

Thank you for taking the time to share with us how important Linux is to you! You’re certainly right that a Linux version would be a great addition to the 1Password line up.

As you say, 10 years is a lot of development time and indeed we covered a ton of ground during that period. We started with “just” Mac, added iOS (iPhone plus iPad), Windows and Android and now Windows Modern. And of course, we needed to keep up with all the operating system updates from Apple, Google, and Microsoft during that time. We even managed to squeeze in new features for 1Password, too! :)

Even though we were busy with all the above, support for Linux frequently made it into many design discussions. 1Password for Teams introduces a web app that allows you to view all your vault items and in the near future it will allow full editing of your items as well. There are a few hiccups on Linux that we need to iron out in the current beta to allow Linux browsers to sign up correctly, but we’ll get there soon.

Longer term we are planning on expanding support even further and I think you’ll enjoy what we have in store.

I just wanted to add to your 1PasswordAnywhere comment. You’re absolutely right that 1PasswordAnywhere is read-only, and so is the current web app in 1Password for Teams. We will be enabling editing capabilities soon, we just have to write a bit more code first :)

Thank you for your informative response. I’m certainly interested in having 1Password on Linux and the web app sounds like a really good intermediary solution, though I wouldn’t consider it for personal use as the main selling point for me was the ease of cmd+\ and setting up randomly generated passwords (which I now regret when I find myself retyping passwords from time to time).

I’ll eventually buy the Linux client once it comes out. Switching to Linux was a really bad experience. Breaking off from iCloud (especially after sending my whole photo library there) was painful, but at least I could download everything back. In case of 1Password I’m stuck with 1PasswordAnywhere which is not a solution for long-term use. Also, other password managers on Linux are just plain bad (or I’m just spoiled by 1Password’s awesomeness ;) ).

As for price, we don’t have all the details worked out yet. Our pricing page (https://teams.1password.com/pricing/) gives an idea of pricing because we agree with you that it’s nice to know the price before starting to use a service. We’re simply stating “Starting at $4.99 per user per month” for now as we’re still not exactly sure which features will end up in which pricing tier, but hopefully that gives enough details to make your decision.

I hope that helps. Take care and let me know if there is anything else we can help with.

$5/user/month is high enough that it’ll be a barrier for a lot of small teams, whether they be families, small companies, non-profits and whatnot. Also, for larger teams it’ll run into the similar problems, because it’s high enough to be An Investment.

For example, if I wanted to get this sorted for a client with about 90 users, we’d be looking at $450/month, $5.400/year, and $16.200 vs. $27.000 if you’re looking at a comparison to a purchased product amortised over 3 or 5 years respectively.

This is close to the baseline cost of running a custom Windows setup for Exchange and SharePoint on cloud servers, including licenses for the same number of users.

I understand that there is value in the service that you cannot get otherwise, but I am not seeing enough business sense in it, at this level :(

Regarding pricing for families, I see where you’re coming from. We added a section about Family Pricing to our FAQs you might enjoy:

Will you have a family pricing plan?

Sometimes products can price themselves for business use and ignore families entirely. We’re a family company, so we plan to do things quite differently.

While we can’t yet share any specifics at this time, we have some ideas that we think will make you very happy. Families are absolutely on our minds — after all, what team is more important than your family? It’s like we always say: a family that is secure together is secure together. :)

We’ll be updating the 1Password for Teams Pricing page with details as they become available. For now, there is nothing to lose by signing up for the beta, since 1Password for Teams is free during the beta period.

I suspect we will do something similar for non-profits as well when the time is right. Pricing is important and we will be being more explicit about it in the future, but for now we’re focused on polishing the existing UX in 1Password for Teams, as well as adding a few special features that we think you’ll like :)

I’m thinking along similar lines and wondering if there will be a one-time purchase for a certain number of licensed users with paid upgrades.

I see a lot of software companies using this pricing strategy and it makes budgeting much easier in a small business where cash flow can be very sporadic. That way I can buy it when times are good, and don’t have to cancel my subscription if cash gets tight for a few months, then upgrade if/when a new version comes out and the budget allows for it. Otherwise, it’s a no-go for me and my team from the start since it’s like tacking on overhead forever via a subscription.

Honestly I haven’t given that much thought yet so I’m not going to speculate one way or the other.

During the beta period everything is completely free for as many users as you want, and exporting is a simple process if you decide not to subscribe when the beta ends. So now’s a great time to learn how invaluable the teams features are :)

Once we have the things polished and a few special new features completed, we’ll revisit the pricing discussion.

How about a “Team Lite” that would only store 5 passwords. The cost could be a flat fee of $15.00. Of course it could always be upgraded. This is affordable for the smaller guys and would allow for a revenue stream for you.

Hi Agile Bites-Team. What a great announcement.
I can imagine using this for our family as well as for my business.
The pricing discussion is quite interesting.

I’d like to ask you to have some “Pro”-Features for the business account (like passwords for RDP-connections, TeamViewer-connections, software licenses, …), which a lot of people would be willing to pay for and some “standard features” (family Amazon account, dad’s credit cards, Passports, IDs and driving licenses, …), which you might consider offering for free for families, since the users will already have paid for the software.

I know it’s hard, but give it a go.
And try to keep in mind: If you give nice stuff to families for free, you make those people dependent on your software and “grow” future clients for the “Pro”-features ;-)

Having Free and Pro tiers is something a lot of companies do, but it’s tough to make a free tier that is compelling enough to use but limited enough to encourage people to upgrade to the paid tier. Many companies have gotten this wrong over the years and gone out of business as a result. We plan on being here for a long time so quite frankly I don’t want to take the risk, nor do I want to get Venture Capital funding to make it possible, either :)

We have some great ideas for Families and I think you’ll enjoy them. Please give us some time to get the beta rolling and we’ll revisit pricing then.

Dave,
I used to use Bento for all my account and password needs. I have owned 1Password for quite a while but I am finally getting around to moving my account info to 1Password as Bento is no longer supported by FileMaker. I don’t know why I put it off so long as it has been very easy to learn. I would like to suggest as a companion to the new 1Password for Teams you might consider “1Password for Families”. I would like to be able to sync my files with my wife’s Mac as well as our phones and iPad. I don’t know if the pricing on the Team version will be too expensive to be able to sync just one more Mac. Great product and I look forward to seeing the Team or “Family” pricing when available.
Dale M.

When using 1Password for Teams we take care of everything for you. New items, vaults, and changes automatically appear on all your devices without you needing to configure syncing or use any 3rd party service.

For the personal version of 1Password, we continue to support Dropbox, iCloud, and Wi-Fi Sync. You can also use Folder Sync and allow OwnCloud to sync the folder between your Mac and PCs, and then use Wi-Fi to sync to iOS. This user guide article covers this in more detail:

Will there be a possibility to NOT let 1Password “magically” sync the passwords (I guess this refers to storing them on your / some Amazon cloud / Rackspace… whatever servers)? I think storing sensitive data on servers we don’t control would be a no go.

Another Question: Why won’t there be a “Pay and use forever” (aka buy a license) Model? I mean: What if some company (for whatever reason) isn’t able to pay their (monthly) bills for a certain amount of time. ALL their CRITICAL login data won’t be accessible for them. Depending on what type of company we’re talking about this could harm them (by not being able to access servers, accounts…) even more.

In answer to your second question, anyone wanting to “Pay and use forever” can simply purchase 1Password and not subscribe to 1Password for Teams. You and your team would be able to use all the features of 1Password; you simply would not receive the additional features of the team version, including:

• Share and sync without the need of a third-party sync service
• Deploy new vaults to your teammates automatically
• Invite new members in bulk
• Set granular access permissions for each teammate on each vault
• Revoke access to vaults and suspend/delete team members
• Recover accounts if your teammates forget their Master Passwords

As for accessing your data, we will never lock you out of your account for not paying. If you choose not to continue paying (when paying is even an option – during the beta everything is free) your account will go into read-only mode. You won’t be able to create new vaults or items, but you and your teammates will still be able to sign in, view, and export all your data.

1Password will not magically sync your data to anywhere you don’t explicitly tell it to. Your vaults and items stay where you put them and you decide what to do with your data, not us.

In other words, 1Password for Teams is completely opt-in. And if you do opt-in, you can continue to use your personal vaults exactly as you are today. Any team vaults that you are given access to will stay completely separate.

I’m not sure I’m following you 100%, but it sounds like you want to use 1Password for Teams but instead of having us manage everything for you, you would rather host it yourself. Is this correct?

If so, this isn’t possible with 1Password for Teams at this time. Perhaps this could change at some point in the future, but given how many moving parts there are I wouldn’t expect this any time soon. I fear there are just too many things that can go wrong and supporting so many different configurations would be very difficult.

If you’d prefer to manage everything yourself, you can always use the vault sharing feature in 1Password:

As I mentioned above in my previous comment, you won’t get access to all of the 1Password for Teams features like the Admin Console for easy team management, but it would work fine and I know many companies have been doing it this way for a long time. 1Password for Teams was designed to simplify this process, but the old way still continues to work fine.

I hope this helps, take care and please let me know if there is anything else I can help with.

I don’t remember AgileBits ever having a space in it, Jim, but I’m sure we’ve had our share of typos over the years :)

As for 1Password.com, you’re totally right. In the beginning this domain wasn’t available and since we were just starting out and had no VC money, we couldn’t afford to buy it at the time. So we went by 1Passwd for quite a while. Thankfully awesome customers like yourself supported us over the years so we were able to finally purchase it.

It is a little premature to talk about converting business licenses at this point as we still need to finalize pricing. Once we complete the beta process we can absolutely work with you to figure out what works best for you and your company. At that time reach out to us at support@1password.com and we’ll take it from there.

1Password has fantastic native apps for Mac, iOS, Windows and Android. The 1Password apps for Mac and iOS already have full support for 1Password for Teams, and the Windows and Android apps will join in the fun by the time of our official release.

1Password for Teams also has a fully featured web app that allows you to view the items in your vaults and use the Admin Console to manage your team. You can sign into the web app on any platform (including Linux) that supports Chrome, Firefox or Opera.

As for families, 1Password for Teams is designed for teams of any size. Teams of all shapes and sizes are enjoying the benefits of 1Password, all the way from startups to members of the Fortune 500. Teams aren’t limited to companies, either. We’ve been using 1Password to protect and share with our own families as well. :)

No worries about missing the FAQs; it’s happened to everyone at one time or another :)

You’re right that sometimes products can price themselves at the corporate level and ignore families. We’re a family company so we plan to do things quite differently – we have some ideas that I think will make you happy. I can’t share any specifics at this time but I can say that families are absolutely on our minds.

Hey Dave. I was happy to see your reply. I must say the “monthly plan” thing triggered very negative feelings in me (a “there you go” kind of feeling), the first time I’ve experienced this with an AgileBits product, and I’m an old customer…
I basically want to control what my life-partner (just because he’s very little tech-savvy and prone to blunders with his shiny new toys) and I share in a common vault, and that’s it. That’s just 2 persons, and I would be really disappointed if that required to pay the price of, say, a 10 Gb cloud storage monthly plan.
So, yeah, super news, congrats AND fingers crossed!

You dodged the issue highlighted by the parent: There is no native GNU/Linux support by 1Password and it’s a highly desired feature for a lot of organisations, and 1Password for Teams is aimed at those organisations.

It really is a great question, Tarjei. From the FAQ (and my reply to Bruce above):

1Password has fantastic native apps for Mac, iOS, Windows and Android. The 1Password apps for Mac and iOS already have full support for 1Password for Teams, and the Windows and Android apps will join in the fun by the time of our official release.

1Password for Teams also has a fully featured web app that allows you to view the items in your vaults and use the Admin Console to manage your team. You can sign into the web app on any platform (including Linux) that supports Chrome, Firefox or Opera.

We haven’t had enough time to think that far out to be honest, Keehun. The issue with free tiers is it’s incredibly difficult to balance things in such a way that the free tier is amazing enough to use yet the higher tiers are compelling enough to upgrade to. It’s certainly possible but many companies have gotten it wrong and gone out of business. We plan on being here for a very long time, so it’s not a risk we want to take any time soon :)

First I gotta say thank you for using 1Password! We wouldn’t be here without you :)

As for personal and team vaults, they will stay completely separate. Once you join a team, any vaults you are given access to will automatically appear in 1Password, and your existing personal vaults will stay exactly where they are. Items will stay in their respective vaults until they are explicitly moved.

I hope that helped answer your question. By the way, I think you might enjoy this list of Frequently Asked Questions and answers we wrote up for existing 1Password users:

I have been using 1Password for 3 years now and I think it’s a great tool. I’m excited to know about these new features. I have been using multiple vaults over Owncloud and thought that there were a lot of things that were missing. It looks like the new features will get most of the problems sorted.

I’m just wondering how the automatic sync would work. I suppose all the users will have a unique ID, using which 1Password would identify them. Which would help in removing the user’s access since there is a unique ID.

First of all, thanks for your longtime support, Junaid! We don’t take it lightly. We literally couldn’t work at our dream jobs without the support of folks like you.

We host your Team vaults, so you can access them anywhere without worrying about sync. When you add a new device, all you need to do is sign in. It really is that simple. There is even an audit trail of who changed what and when.

Revoking access can be done from the Admin Console. You can remove a Team member from a vault, suspend a Team member entirely from a team, and — if you want to make the suspension permanent — delete them from the Team.

There is even another way to limit someone’s access without deleting, suspending, or removing them from a vault. In fact, if you invite them as a Guest, you may not ever need to revoke their access. Inviting a Guest is ideal for when you need to share any credentials with infrequent collaborators or anyone outside your team. I hope that helps. Let me know if you have any other questions. :)

Today’s announcement is about 1Password for Teams which does not directly affect the existing browser extensions. The 1Password desktop apps and extension work just as well as ever to save and fill passwords in Safari, Chrome, Firefox, and Opera. This is true for personal vaults as well as new Team vaults. We don’t have anything to announce regarding a standalone extension at this time, but thanks for letting us know you would be interested in something like that.

If you just use 1Password by yourself, 1Password for Teams probably isn’t something you need right now. But if you count “shared vaults” among your favorite features of 1Password, it could be quite the treat. Plus, 1Password for Teams is much, much more than just another way to share vaults. Here are just some of the things you can do with 1Password for Teams that aren’t possible otherwise:

• Share and sync without the need of a third-party sync service.
• Deploy new vaults to your teammates automatically.
• Invite new members in bulk.
• Set granular access permissions for each teammate on each vault.
• Revoke access to vaults and suspend/delete team members.
• Recover accounts if your teammates forget their Master Passwords.

If any of these features intrigue you, we heartily recommend you try out 1Password for Teams for yourself!

Oh, I almost forgot to mention: you can invite people as Guests to your team. Inviting a Guest is ideal for when you need to share any credentials with infrequent collaborators or anyone outside your team. :)

As Khad pointed out we don’t currently integrate with any IAM solutions, but when I read your question I thought you were asking “will we ever add” support, so I thought I should jump in and give a followup answer just in case :)

IAM is certainly something that has been on our minds as we developed 1Password for Teams. For the initial release we most likely won’t have any IAM integrations, however it is something that’s on our radar. As Khad mentioned our use of SRP to strengthen your security will make integration with other tools harder, but we have some ideas on how it might be possible.

I hope this helps. Please let us know if there is anything else we can help with.

If you’re specifically talking about the 1Password for Teams webapp, however, we are indeed low on keyboard shortcuts there. That’s something we’d love to add and I just opened an issue to make sure we don’t lose track of this :)

Thanks for helping us make 1Password the best it can be. Please continue to share your feedback with us :)

We added the new team features into 1Password 5.5, which requires OS X Yosemite (10.10) or higher. It’s quite difficult to back port these features into the earlier OS X releases so we made the decision not to.

As much as it hurts to be unable to help awesome people like yourself, the native apps really need to move forward. Keeping up with Apple’s current version is hard enough, and we extended support to their previous OS version as well because we knew a lot of users needed that. To go two versions back, however, is just too much for a small team like ours.

The good news is you should have no problems using the 1Password for Teams web app on older OS versions. As long as it supports the latest web browser versions you’ll be able to view your vault items, copy passwords, and manage your team.

I hope that helps. Please let me know if there’s anything else I can help with.

Thanks again for the kind words. Comments like yours are fuel for my fire and help me keep answering everyone :)

I know exactly where you’re coming from with your “hope, we could step up a bit here…” comment. We’re constantly upping our game here so it’s very tempting to jump on this problem and backport new features to old operating systems. It’s a large undertaking as every OS version has its own quirks and feature sets, but it’s certainly possible.

The thing is, we have several other “large undertakings” that also need to be done. In just the comments on this post alone, we have some huge things like further Linux improvements, IAM integration, item update capabilities in the web app, and more. Plus we have to keep in mind that soon Apple, Google, and Microsoft will be showing off their new OS versions and we’ll need to work hard to take advantage of all the new features they will have. Then of course there’s the hundreds of other features and improvement requests that we have collected over the years and our own personal wish lists :)

We are going to continue to step up in these areas, but updating the native apps to add new features to older operating systems is not something we’re targeting. The thing is, what do we do for awesome customers like you? The good news is we now have a web app that will work on any operating system (new and old) that supports the latest web browsers. We’re going to continue to improve the web app and the browser plugins and hope to someday support automatic login filling there, even on older systems.

Take care Dirk, and please continue to reach out to us whenever needed. Hearing from awesome customers like yourself keeps me passionate :)

Hmm, I see you are using AWS, which probably means US-East. Will it be possible for companies outside the US to use AWS datacenters NOT in the US to store their synced data? As in, for example, Frankfurt or Ireland? Preferably Frankfurt, if you’re making a choice in Europe.

As for DNSSEC, you should reconsider using AWS DNS if you want that within a reasonable timeframe. Pick a DNS provider that will allow you to do it now, instead of at some unannounced future date? Also, how are you protecting ‘1password.com’ and related domains against domain hijacking?

Also, with regard to modern TLS and limited cipher sets; you’re still supporting 3DES at the moment, and have weak 1024-bit DH keys active. I would expect that to be TLSv1.2 only, with ECDHE and nothing else?

Kind of expecting the certificate to be EV as well, with Certificate Transparency?

All in all this looks quite interesting, but I think there’s a bit more ops work to do :-/

Regarding AWS, you’re absolutely right, we chose US-East as our region. We currently have multiple availability zones but are running within a single region. I suspect that over time we will be moving towards multiple regions and having locations in Ireland or Frankfurt would be awesome. I’m not really sure how this will work from a UX point of view, however. Would this be something a user needs to choose during signup or would we automatically select data centers based on your IP? I’m not sure yet and this is one of the main reasons we’re using a single AWS region for now.

Regarding modern TLS and limited cipher sets, I believe you ran your tests on the https://teams.1password.com home page. We host our home page on CloudFront and it does indeed allow weaker suites. CloudFront only receives an A grade from ssllabs, but from what I’ve read CloudFront will be removing the 1024-bit DH key at the end of the year. I’m not sure if there is anything else we can do to solve this on our end but I have asked our devops team to look at it again. Just to be certain, which exact URL were you testing?

If you scan our main server, however, you’ll see that we received an A+ grade from ssllabs. We have a lot more control over our own server than CloudFront and were able to make the changes needed to go from A to A+. We’re not at 100% yet and will keep trying, but we also need to balance this with the fact that not all users upgrade as fast as we’d prefer.

Regarding protecting 1Password.com and DNSSEC, using DNSSEC is an excellent suggestion, and we are looking at alternative DNS providers that can offer that. I can’t promise when this will be done, however.

As for the EV Certificate, this is an interesting problem we have. I’d love to get one but as far as I know it’s not possible to get an EV Certificate for a wildcard domain. Perhaps we should get an EV Certificate for the home page and perhaps the signup page as well. We could then use a non-EV certificate for everything else? That might be the best compromise for now.

Last but not least, I liked your “there’s a bit more ops work to do” comment as I believe there will never be an end to it. This is a good thing. Security is a process and we’ll continue iterating as time goes by, but hopefully I’ve answered your questions clearly enough to make it clear that it’s not something we take lightly.

Thanks again for taking the time to discuss these issues with us. I’d be happy to continue over email if you’d like (dave at agilebits dot com).

No, you would just allow the user to make a selection, based on where they want to store their data, and create their account there. You never share anything between the regions, and operate them as completely separate sets of infrastructure, sharing only deployed code.

I ran the SSL Server Test on your main ‘1password.com’ domain, not on any specific subsite. It points to AWS EC2 instances, and gets a ‘B’;

The fact that you’re unaware of this is not really encouraging, and I suspect that you haven’t looked at the test since the Logjam vulnerability became known, because you’ve been at ‘B’ ever since May/June of this year. Oh, and your CloudFront config doesn’t offer DHE ciphers, so you do indeed get an ‘A’ there, but the fact that you’re using a CDN has its own problems. You’re basically letting someone else, on American soil, MitM your secure connections, and have no control over that whatsoever.

There’s so much more to it than getting that A+ at the top, too. There’s no reason to have TLSv1/TLSv1.1 support when you control the clients, no reason to offer static and/or SHA1 ciphers, because everything supports better.

Also, it’s a CDN without IPv6 support, plus EC2 instances without IPv6 support. Using an ELB is not really an option to remedy that either, so … you’re deploying a new service, IPv4 only, in 2015, well after Apple made the ATS requirements for iOS 9, which require support for IPv6, known.

As for DNSSEC support, competent ops people could easily do that in less than a week. It’s not rocket science, not ‘still new’ like HPKP and whatnot.

The EV certificate is not really a problem either, just limit the amount of subdomains you have active, and buy a multi-domain EV certificate for your browser clients. For your apps you can basically self-sign as long as you pin the root that signs within the app.

As for there always being more work to do; of course. But so far you’re starting at a disadvantage because you’re not building it right from the start, and that’s disappointing.

I really like 1Password, and one of the reasons I keep on using it is because your software engineering has been and continues to be sound. This doesn’t necessarily translate into sound operations engineering though, and many fail when they make this jump. Don’t be one of them, please :)

—

P.S.: Don’t forget to make sure that you’ve protected yourself as much as possible from domain hijacking; perhaps consider a corporate registrar that provides additional safeguards against changes made?

Regarding different regions and “never share anything between the regions”, I fear that would make for a pretty bad user experience once we start adding additional features. It will be very hard for us to explain to customers that they cannot perform feature X because they are in a different region. From what I can tell, you would personally enjoy having a self hosted solution so I would suggest we take that approach instead.

As for the SSL test you ran, thank you for including the exact URL. I see what’s happening now. SSLLabs automatically tests the www. variation in addition to the naked domain. While https://1password.com was an A+, https://www.1password.com was redirecting to our support page, which is ranked a B. The rewards for attackers on our support page are very small so we chose to be more accepting of older clients. It’s probably time to start rejecting older clients, but it’s always a tough balance as it’s the older clients that often need the most help.

Regarding DNSSEC and IPv6, we switched to CloudFlare and Hover this week. The combination of these two services allowed us to enable DNSSEC and we’re IPv6 now as well. It would be great for you to poke around again now.

As for wildcard certificates, I’m not sure I’m following your reasons for saying they are risky. If we were sharing our wildcard certificate across all our servers and services, I could see the risk as any compromised service would leak the private key for all servers. But we’re not doing that. We have a wildcard cert that’s specific for the 1Password for Teams service. Does that address your concern or are you coming at this from a different angle than I am?

I hope that helps clear up some of the confusion. I’d love to talk more but the blog comments will be closing here soon. I’ll reach out to you over email to keep the conversation going.

I like the idea of 1Password for teams as a solution with a trusted company as AgileBits. I am eager to see the magic you created in this new solution. Thank you for all the great work. We are really happy that you survived the Palm disaster and are now one of a kind to provide those great apps.
And as a side note – Linux is not only one operating system; even big companies like Google do not support applications like Picasa – or did not the last time I was looking.

But who knows, maybe you will even solve that diversity problem for the Linux users – I would not be surprised. Thanks for the great products and articles about making our lives better and more secure.

You will be pleased to know that 1Password for Teams has what we call Better Than Two-Factor™ through the use of an Account Key. From our “Understanding the Account Key” article (https://support.1password.com/account-key/):

With traditional two-factor authentication, an existing device is used to authorize a new one. But the existing device is only used for authorization. The one-time passwords are not used to harden the encryption.

Your Account Key works in much the same way. It is required to authorize a new device. However, your Account Key is actually used to improve the encryption of your data. Both your Master Password and your Account Key are required to decrypt your data.

As Khad already pointed out, we designed 1Password for Teams so that every team member has an Account Key. The Account Key takes the idea of 2FA to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. This strengthens your Master Password exponentially, and unlike typical 2FA, it can’t be reset, intercepted, or evaded.

While the Account Key is designed to protect you against a much wider range of attacks than typical 2FA, there is one narrow aspect in which it does not protect you. Since the Account Key is stored on your device, it does not protect you from compromises of your computer, which is something that typical 2FA provides some limited protection against. For this reason, we are considering adding support for a “typical” 2FA approach.
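The two-secret idea described in the comments above, as an added sketch that is not AgileBits' code and not 1Password's actual key derivation: a memorised password is stretched with PBKDF2, a random device-held key goes through HKDF, and the two are combined, so a stored record cannot be checked against password guesses without the device secret. The function names, the iteration count and the XOR combiner are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed value for this sketch


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) with SHA-256, one 32-byte output block."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()          # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand, T(1)


def derive_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Mix a memorised secret with a random device-held secret."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    device_part = hkdf_sha256(account_key, salt, b"account-key-sketch")
    # XOR: the result is unknown unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def enroll(master_password: str):
    """Return (record, account_key): the record is what a server could store;
    the account key never leaves the user's devices."""
    salt = secrets.token_bytes(16)
    account_key = secrets.token_bytes(32)  # 256 random bits
    key = derive_key(master_password, account_key, salt)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}, account_key


def unlocks(record: dict, master_password: str, account_key: bytes) -> bool:
    """True only when both secrets reproduce the enrolled key."""
    key = derive_key(master_password, account_key, record["salt"])
    check = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return hmac.compare_digest(check, record["verifier"])


if __name__ == "__main__":
    record, account_key = enroll("correct horse")         # constructed password
    print(unlocks(record, "correct horse", account_key))  # both secrets
    print(unlocks(record, "correct horse", bytes(32)))    # password alone
    print(unlocks(record, "wrong guess", account_key))    # account key alone
```

The sketch also shows the limit raised in the comment above: the account key sits on the device, so anyone who controls that device holds one of the two inputs.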

Hi Dave – I read through the white paper and love the thought that has gone into crafting each aspect of 1Password for teams. The description of using the Account Key as another factor required for decryption seems like a brilliant idea to me, but it would seem to me it is more likely for an end user computer to be compromised (especially if logging into the web version of 1Password – which might occur when traveling, etc.) rather than the server/database so I would strongly consider support for typical 2FA. The ability to use the web version of 1Password – as opposed to limiting it to client access only – will likely increase the availability/convenience but also the risk of compromise as individuals will use it on computers that they do not necessarily “own.”

Thanks for sharing your thoughts on the Account Key and second factors.

While you’re right that compromising a device is a lot easier than compromising a server, keep in mind that the vast majority of people store their second factor on their phones in an easy to get place. All one needs to do is swipe your phone and open up Authy (for example) and they then have access to your “second factor”.

Now, if a completely separate device was used for the second factor, that would be a different story. That’s just not how I see most people using 2FA.

Dave
That is great news and I’m quite excited about the offer to beta test.

This goes in the right direction when it comes to passing on security information to heirs (ref our previous exchange).

However it seems to me that the pricing doesn’t make sense financially for a family: assuming a family of 3, that would mean a cost of $180/yr which is nearly double the cost of a 1T Dropbox account, or compared to the team edition it would represent a third of what Dropbox would cost for unlimited storage. I’m comparing this to Dropbox because this is likely one of the most used ways for users to share with other family members; it does not offer as many features and levels of granularity as 1Password for team but in comparison your new service will be a hard sell. I would recommend considering a “Home” plan or something similar with maybe some restricted functionalities which are anyway of less value for a family (e.g. you could limit things to 4 levels only: personal, personal with parental control, spouse, all).

I understand well the need to provide services which will create recurring fees. I don’t remember when the last time I paid something to AgileBits was (it must have been v5) and I’m well aware that a lot of effort has been put into it and I benefited from many many free updates be it on iOS or on Mac. I feel more comfortable with the “pay once use forever” than the subscription model but I don’t mind paying regularly for updates as to continue funding the development. However I feel that the fees asked for this new service are too steep.

A worry also: until now the strength of 1P was to allow seamless synchronisation via iCloud or Dropbox. Dropbox sharing made collaboration possible as a “mini 1P-team”. Now with the new service, there is an inherent conflict of interest for AgileBits: favouring the subscription service by cutting part or all of the “free” sync functionalities via Dropbox. There should be a clear commitment that these functionalities will remain untouched and eventually continue to improve regardless of the subscription service. Otherwise some users might leave 1P and fund an alternative.

Personally: the more success AgileBits has, the more secure I feel to entrust 1P with my information for the long run! Even for the day when you and I are long gone.

Until then: feel free to come with a super duper v6 and I’ll be happy to purchase it again to support you guys!

Signing up for 1Password for Teams is entirely optional. Your existing 1Password licenses are as good as they’ve always been.

There is one perk that might catch your eye, though: subscribers to 1Password for Teams have free access to the latest versions of the 1Password apps on every platform.

We’ve been working hard on 1Password for Teams, and all the while we’ve continued to make 1Password better for everyone with awesome new features like Time-based One-Time Passwords, Large Type, and Apple Watch support. These are only three of the hundreds of new features and improvements we’ve added.

And we’re not slowing down. The apps you know and love are here to stay. They are an incredibly important component of 1Password for Teams, and the existing sync options are not going away.

We are definitely committed to providing a great way for families to use 1Password, and we haven’t worked out all the details about pricing yet. But you can be sure that we are using 1Password for Teams with our own families. It’s a consideration near and dear to our hearts. :)

I understand where you’re coming from with respect to the price for an entire family. I had a similar conversation above where the worry was sometimes products price themselves at the corporate level and ignore families entirely.

We’re a family company so we plan to do things quite differently and we have some ideas that I think will make you happy. I can’t share any specifics at this time but I can say that families are absolutely on our minds.

Regarding passing your information on to your heirs, yes, 1Password for Teams is a step in the right direction. We have the concept of a Recovery Group now so you can control who on your team is able to restore access to your account if you ever lose your Account Key or forget your Master Password. This notion could be extended to allow your heir or executor to gain access to your vaults. This is still a ways off as there are some important aspects we need to take under consideration, but the general idea is sound.

As for syncing using Dropbox, iCloud, and Wi-Fi, those are all still available and we have no plans on removing them. You asked for a commitment that these would stay and continue to be improved. This sounds reasonable and in years past I have made similar commitments, but it’s hard to guarantee anything about the future. Who knows what changes Apple or Dropbox have in store for us? Because of this I think it’s better to talk about the past than speculate about the future. As Khad mentioned, we’ve been working on 1Password for Teams for two years now and during this time we’ve had hundreds of updates to 1Password. Many of these improvements have been focused on syncing over Dropbox, iCloud, and Wi-Fi.

If you haven’t already, I invite you to check out our release notes and see how busy we’ve been. 1Password for Teams requires a strong 1Password to build upon, so we won’t be slowing down :)

I hope that helps, Chris. Take care and please let me know if there is anything else you’d like to discuss.

Thanks for your answer, it sounds reassuring to me and I appreciate that. I also agree that Dropbox and/or Apple can make changes beyond your control. Let’s see how the future will turn out to be. I think the thing you cannot talk about but that you are implying is enticing :)

In any case, I’ve applied for the beta test and I’ll be happy to experiment and participate in the project.

1Password for Teams absolutely will work on Windows, but at this exact moment, only the OS X and iOS betas have support for teams built into the native clients.

We will be adding support into the current 1Password for Windows app soon, and we’re also working on an entirely new app for Windows 10. 1Password for Windows 10 is in alpha testing and does have teams support, but it is an alpha at the moment. Windows 10 apps are completely sandboxed so we needed to do things in the Windows 10 way, so it’s important to note that there are no browser extensions or similar features at this time.

Aside from the native clients, 1Password for Teams has a new web app that lets you access your vault items online, as well as manage your team and vaults. This web app works great on Windows so that might be enough for you if you’re also using iOS or OS X currently. If you’re 100% Windows, then you will need to wait for us to add edit capabilities to the web app before you can move over.

We hope to have much better Windows support “soonishly”. I always get in trouble for promising dates, so I’m going to intentionally leave that vague for now :)

Thanks again Dave, take care and please let us know if there is anything else we can help with.

Our developers are working to implement Teams support on Android just as soon as possible! We’ve got more than a few Android users on the AgileBits team, and they’re just as excited as you are to get their hands on their teams data on their devices.

I can’t spill any details on the ‘when’, but I’ll be happy to let them know that you’re hoping to see Teams support on 1Password for Android soon. :)